SecuriTricks - CVE-2025-66270

Description

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

Product(s) Impacted

Product	Versions
kde_connect	<25.12
kde_connect	0.5.4
kde_connect	1.34.4
gsconnect	<68
valent	<1.0.0.alpha.49

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-290

Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

References

https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3

https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce

https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9

https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080

https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e

https://kde.org/info/security/advisory-20251128-1.txt

CVSS Score

4.7 / 10

CVSS Data - 3.1

Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

View Vector String

Timeline

Published: Dec. 5, 2025, 6:16 a.m.
Last Modified: Dec. 8, 2025, 6:27 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

cve@mitre.org

CVE-2025-66270